Detection rules to identify:
- Sign-in failure, bad password threshold
- Failure because of Conditional Access requirement
- Privileged accounts that don't follow naming policy
- Interrupt
- Discover privileged accounts not registered for multi-factor authentication
- Account lockout
- Account disabled or blocked for sign-ins
- MFA fraud alert or block
- Privileged account sign-ins outside of expected controls
- Outside of normal sign-in times
- Identity protection risk
- Password change
- Change in legacy authentication protocol
- New device or location
- Audit alert setting is changed
- Administrators authenticating to other Azure AD tenants
- Admin User state changed from Guest to Member
- Guest users invited to tenant by non-approved inviters